Privacy policy

PharmaDiagrams is made by Blynksolve Ltd, a company incorporated in Ireland. In this policy, “Blynksolve”, “we”, “us” and “our” mean Blynksolve Ltd. “PharmaDiagrams” means our browser-based editor for process flow diagrams and P&IDs, together with the website at pharmadiagrams.com.

This policy explains what personal data we handle, why, and what you can do about it. It covers both this website and the PharmaDiagrams product.

For any question about your data, email contact@pharmadiagrams.com or use our contact page. Because we are based in Ireland, our lead supervisory authority is the Irish Data Protection Commission.

Data protection law splits responsibility between a controller (who decides why and how data is used) and a processor(who handles data on the controller's instructions). We act in both roles, depending on the data.

We are the controller for the people who visit this website, the people who hold an account with us, and the data we need to run our business: billing, support, and product improvement.

We are the processor for the content you put into the product: your drawings, comments, version history, and the audit trail. Your organisation decides why that content exists and what happens to it; we hold and process it on your instructions. If your organisation has a data processing agreement with us, that agreement governs this content. A data processing agreement that meets GDPR Article 28 is available on request.

We try to collect as little as we can. Here is what we hold, grouped by how it reaches us, with the lawful basis for each.

When you visit this website. We use privacy-friendly analytics that count visits without cookies and without building a profile of you (see Cookies and analytics). The basis is our legitimate interest in understanding, in aggregate, how the site is used.

When you contact us. Our contact, demo, and newsletter forms ask for your name, email, company, and your message. We use this to reply and to follow up. The basis is our legitimate interest in answering you, or taking steps at your request before any contract.

When you have an account. We hold your name, email address, a hashed password, any multi-factor authentication details, and a record of how you use the product (for example, sign-in events and which features you use). The basis is performance of our contract with you, and our legitimate interest in keeping the service secure and working well.

When you pay for a plan. For a paid plan we hold billing details such as your name, company, billing address, VAT number, and invoice records. The basis is performance of our contract and our legal obligations under Irish tax and company law.

The content you create in the product.Your drawings, comments, electronic signatures, and audit-trail entries may contain personal data, usually the names and timestamps of the people who made a change. We process this content as a processor, on your organisation's instructions, not for our own purposes.

We do not knowingly collect special-category data (such as health data). A process diagram describes equipment and streams, not people; the personal data in the product is the workplace identity layer around it.

This website does not use advertising cookies and does not track you across other sites, so it shows no cookie banner. Our analytics provider, Plausible, counts page views without cookies and without personal data, and its data is held in the European Union.

The product uses a small number of strictly necessary cookies to keep you signed in and to keep your session secure. These are required for the product to work and are not used for advertising.

We do not sell your personal data, and we do not share it for advertising. We use a small set of trusted providers (sub-processors) to run the service. Each one is bound by a contract that limits them to our instructions.

This list reflects our current sub-processors. The authoritative, up-to-date list is available on request, and we give notice before it changes. We do not currently use a third-party payment provider; if that changes, we will add it to this list and give notice first.

We may disclose data where the law requires it, for example to comply with a valid legal request, or to protect our rights, our users, or the public. We push back on requests that are not lawful.

Your account data and the content you create in the product are stored in the European Union. Under our current setup, that data does not leave the EU.

The one exception is email. Messages you send us through the website pass through our email provider, which is based in the United States. That transfer is covered by appropriate safeguards, namely the EU Standard Contractual Clauses and, where it applies, the EU-US Data Privacy Framework. If we ever introduce another transfer outside the EU, we will rely on a lawful transfer mechanism and update this policy.

We keep personal data only as long as we have a reason to.

• Website analytics: kept in aggregate for trend analysis; it is not tied to you.
• Messages you send us: kept while we handle your query and for a reasonable period afterwards.
• Account data: kept while your account is active, and for a short period after you close it as backups cycle out.
• Content in the product:kept while your account or agreement is live. On your organisation's instruction we return or delete it; deleted copies then cycle out of backups within a set window.
• The audit trail: kept for as long as your agreement requires, to support traceability. Where personal data must be erased but the record must stay intact, we remove the personal fields and keep the structural record.
• Billing records: kept for the period Irish tax and company law require, which is at least six years.

We do not use your drawings, comments, or other content to train artificial-intelligence or machine-learning models, and we do not give them to third parties to do so. If we ever build a feature that learns from customer content, it will be opt-in, we will explain it clearly, and we will update this policy first.

Under the GDPR you have the right to ask us to do the following with your personal data:

• get a copy of it (access);
• correct it if it is wrong (rectification);
• delete it (erasure);
• limit how we use it (restriction);
• receive it in a portable, machine-readable form (portability);
• object to processing we base on legitimate interest, and withdraw any consent you gave.

To exercise any of these, email contact@pharmadiagrams.com. Where the data is content we hold as a processor, we will forward your request to your organisation, which is the controller, and help them answer it.

If you think we have handled your data wrongly, please tell us first so we can put it right. You also have the right to complain to the Irish Data Protection Commission or to the data protection authority in your own country.

Your data is encrypted in transit and at rest, hosted in the EU, and reachable only through your account. The product runs in the browser, with nothing to install. You can read more on our security and trust page, which is written to forward to a QA, IT, or security team.

PharmaDiagrams is a tool for businesses and the engineers who work in them. It is not directed at children, and we do not knowingly collect data from anyone under 16.

We may update this policy as the product and the law change. The date at the top shows when we last did. If a change is significant, we will make it clear, for example by email or a notice in the product.

For anything else, our contact page reaches a real person, and we reply within a couple of working days.